Records, Privacy, and Declassification Division

RPDD Programs

OSD/JS Privacy Program

Mission Statement

The OSD/JS Privacy Office is a branch of the Executive Services Directorate, Washington Headquarters Services. The office provides guidance and direction to members of the Office of the Secretary of Defense and the Joint Staff as it relates to the Privacy Act of 1974, as amended.

Basic Privacy Principles

Privacy issues are implicated in a wide range of activities in both our personal and public lives.

Our concept of Privacy includes:

Control of information concerning our personal life.

Freedom from intrusion upon one's seclusion.

Limits on publicity that places one in a false light.

Prevention of identity theft, and the theft of one's name or likeness.

Right to keep personal information confidential.

General Privacy Principles for Public and Private Sectors:

Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy.

Personal information should not be improperly altered or destroyed.

Personal information should be accurate, timely, complete, and relevant to the purpose for which it is provided and used.

Privacy Impact Assessment (PIA)

Report an OSD/JS Breach

1. Report the Breach to US-CERT. Note: Non-cyber related (paper) incidents should not be reported to US-CERT; they should be reported to your agency’s privacy office within one hour of a suspected or confirmed breach. If this is a paper breach, skip to step 2.

Navigate to the link below within one hour after discovery to access the US-CERT Incident Reporting System. Review the instructions provided and complete the on-line questionnaire.

2. Report the Breach to your Senior Component Official for Privacy and OSD/JS Privacy Program.

If there is a suspected or confirmed Privacy breach, report it immediately and fill out the Form DD 2959, Breach of Personally Identifiable Information (PII) Report.

After you complete the form, submit it to the OSD/JS Privacy Program within 24 hours after discovery. NOTE: This form should also be used to report updates to previous submissions.

3. The OSD/JS Privacy Program, in conjunction with the reporting component, will submit the Form DD 2959 to the Defense Privacy, Civil Liberties and Transparency Division within 48 hours.

4. Conduct and document an assessment of the risk of harm to individuals potentially affected. If determined and approved by your senior leadership, notify the affected individuals of the breach.

Notification must be made within 10 days of the discovery of the incident. You will need to have the mailing address for each affected individual and be able to address the unique issue(s) pertaining to each breach. See DoD 5400.11-R, Appendix 2 for a sample notification letter.

5. Notify the appropriate Congressional Committee pursuant to FISMA no later than seven days after the date on which there is reasonable basis to conclude that a breach that constitutes a “major incident” has occurred.

A "major incident" is defined as “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.”

The impacted agency is ultimately responsible for determining if an incident should be designated as major and may consult with US-CERT to make this determination. (See OMB Memorandum M-17-05, dated Nov. 4, 2016).

Contact Us With Any Questions, Comments, or Concerns

General Privacy Act Questions

Please send your general privacy question, along with your name, phone number and email address to the OSD/JS Privacy Office at the below email address. NOTE: This email is NOT for privacy act requests.

OSD/JS Privacy Inbox

Privacy Act Requests

NOTE: Privacy Act requests (e.g. records about you and retrieved by your name or identifier) must be submitted IN WRITING; must be signed by you; and include the name and number of the system of records notice which can be found at SYSTEM OF RECORDS NOTICES (SORNS). Privacy Act requests cannot be submitted electronically; please use the below mailing address or fax.

If you have privacy-related questions or would like to schedule an agency live training session, please email the OSD/JS Privacy Inbox with your request and we will contact you for additional details and scheduling.

Privacy training is also available on iCompass.